OpenLDAP 2.0 Security Advisory

Recently a security flaw was discovered in OpenLDAP 2.0.19
slapd(8) in how access controls are applied to modify
operations issued by authenticated users. Specifically,
slapd(8) did not prevent a replace with no values from
deleting an attribute that was protected by ACLs (if the
deletion was allowed by the schema rules checked). That is,
this flaw allowed any authenticated user to delete any
non-mandatory attribute of an object.

It is noted that this flaw is 2.0 specific. OpenLDAP 1.2
does NOT have this bug. Also, in 2.0 versions prior to 2.0.8,
this flaw is NOT restricted to authenticated users (that is,
anonymous users can abuse the flaw as well).

The issue is addressed in OpenLDAP 2.0.20 (LDAPv3). 2.0.20
is available for download as detailed by the page:

http://www.openldap.org/software/download/

Users of prior 2.0 releases should update to the latest
release as soon as possible or apply the patch provided
by the following URL:

http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/acl.c.diff?r1=1.27.2.18&r2=1.27.2.19

Users of development sources (HEAD or OPENLDAP_REL_ENG_2)
should update their copies as well.

The project would like to thank Thomas Fritz for reporting
this issue (ITS#1530).

Regards,
Kurt
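
In LDAP, a replace with no values deletes the attribute if it exists, which is the operation the advisory's ACL check missed. The Python below is an added example, not part of the advisory or of OpenLDAP: it scans LDIF change records (RFC 2849) and reports every valueless replace, so recorded changes can be reviewed. The sample records and the function name are constructed for illustration.

```python
# Constructed sample: LDIF change records (RFC 2849), not from the advisory.
SAMPLE_LDIF = """\
dn: uid=jdoe,dc=example,dc=com
changetype: modify
replace: telephoneNumber
-
replace: mail
mail: jdoe@example.com
-

dn: uid=asmith,dc=example,dc=com
changetype: modify
add: description
description: contractor
-
replace: userCertificate;binary
-
"""

def empty_replaces(ldif_text):
    """Return (dn, attribute) for every replace that carries no values."""
    findings = []
    text = ldif_text.replace("\r\n", "\n").replace("\n ", "")  # unfold lines
    for record in text.split("\n\n"):
        dn, modify, op, attr, nvalues = None, False, None, None, 0
        for line in record.split("\n") + ["-"]:  # sentinel ends a final op
            if not line or line.startswith("#"):
                continue
            if line == "-":  # end of one modification
                if modify and op == "replace" and nvalues == 0:
                    findings.append((dn, attr))
                op, attr, nvalues = None, None, 0
                continue
            name, _, value = line.partition(":")
            # base64 ("::") values are left encoded; only their presence matters
            name, value = name.lower(), value.lstrip(":").strip()
            if name == "dn":
                dn = value
            elif name == "changetype":
                modify = value.lower() == "modify"
            elif modify and op is None and name in ("add", "delete", "replace"):
                op, attr = name, value
            elif op is not None:
                nvalues += 1  # a value line belonging to the current operation
    return findings
```

Each reported pair is a deletion expressed as a replace; compare the attribute against the ACLs that were meant to protect it.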